Closed Metrokoto closed 3 days ago
Does not seem logical to me. If someone wants to remove HTTP support by acting with the flag, it is because they really want to remove it, and in that case they would not want the browser to redirect. Otherwise, the defaults are to warn the user, and I think that's enough.
Preliminary checklist
Is your feature request related to privacy?
Yes
Is there a patch available for this feature somewhere?
There is not a patch, but this Chromium compatible extension can achieve this, to a degree, anyway.
Their code may be of interest: https://github.com/einaregilsson/Redirector
Describe the solution you would like
Currently, #cleartext-permitted only blocks access to connections sent over http://, which sometimes causes HTTPS First Mode to get confused and throw an error page even if the site supports HTTPS.
I propose a fix and some upgrades to #cleartext-permitted, as follows:
When enabled, and when HTTPS First Mode is also enabled, #cleartext-permitted should automatically redirect http:// to https:// without throwing any error pages (and, to reduce loading times, do this without checking if HTTPS is supported).
If HTTPS is not supported at all (i.e., port is closed or returns an ICMP error), only then should the #cleartext-permitted error page be thrown, therefore acting like HTTPS Only Mode in Firefox when dom.security.https_only_mode_send_http_background_request is set to false.
This change would also automatically trigger mixed content upgrades by default (like when a site sets Content-Security-Policy: upgrade-insecure-requests), so any relative URLs within the HTML content of the page will be forced to https://, as would any with http://, to further enforce HTTPS.
Describe alternatives you have considered
Using https://github.com/einaregilsson/Redirector
However, it isn't perfect, sometimes confusing HTTPS First Mode (as mentioned previously). Additionally, development has mostly ceased, as the developer recently passed away.
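A small model of the behaviour requested above, added here as an illustration and not taken from the browser or from Redirector. The function names, the `blockCleartext` and `httpsFirst` options, and the `httpsReachable` callback (a stand-in for the real connection attempt) are all hypothetical.

```javascript
// Added example: models the proposal only; every name here is hypothetical.

// Rewrite http:// -> https:// and ws:// -> wss://. Relative URLs are
// resolved against the page URL first; other schemes pass through unchanged.
function upgradeUrl(raw, base) {
  const url = new URL(raw, base);
  if (url.protocol === "http:") url.protocol = "https:";
  else if (url.protocol === "ws:") url.protocol = "wss:";
  return url.href;
}

// Decide what happens to a top-level navigation.
//   opts.blockCleartext - the cleartext-blocking flag is active (assumed meaning)
//   opts.httpsFirst     - HTTPS First Mode is on
//   httpsReachable(url) - true if the HTTPS endpoint answers (port open, no ICMP error)
function decideNavigation(raw, opts, httpsReachable) {
  const original = new URL(raw);
  if (original.protocol !== "http:") {
    return { action: "load", url: original.href };
  }
  if (!opts.blockCleartext) {
    // Flag not set: the browser's default handling applies (not modelled here).
    return { action: "browser-default", url: original.href };
  }
  if (!opts.httpsFirst) {
    // Current behaviour described in the request: http:// is simply blocked.
    return { action: "error-page", url: original.href };
  }
  // Proposed behaviour: upgrade without probing first, and never fall back
  // to a cleartext request. Only an unreachable HTTPS endpoint is an error.
  const upgraded = upgradeUrl(original.href);
  return httpsReachable(upgraded)
    ? { action: "load", url: upgraded }
    : { action: "error-page", url: upgraded };
}

// Subresource handling in the style of upgrade-insecure-requests:
// every URL referenced by the page is resolved and upgraded.
function upgradeSubresources(urls, pageUrl) {
  return urls.map((u) => upgradeUrl(u, pageUrl));
}
```

In this model the `httpsReachable` callback only ever receives an `https://` URL, which mirrors the requirement that no background HTTP request is sent.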